US-CERT Vulnerability Notes Database

Vulnerability Note VU#260421

Squid fails to parse empty access control lists correctly

Overview

The Squid web proxy cache may fail to handle empty Access Control Lists (ACLs) in the intended manner.

I. Description

Squid functions as a web proxy and cache application for a number of protocols. Its Access Control List (ACL) routines may not parse an empty list as intended: an empty list may be interpreted as a nonexistent list rather than as a list containing no members. This may or may not be the intended behavior.

II. Impact

Access may be unintentionally granted to all members when the intended result was for access to be denied to all members.

III. Solution

Apply an update

This flaw has been patched in Squid 2.5.STABLE8. More details are available in the Squid Bugzilla bug #1166.
Team Squid recommends:


    Pay attention to warnings from "squid -k parse" and do not use configurations where there are warnings about access controls in production.
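The following check is an added example, not part of the advisory and not Squid's own code: it flags ACLs that end up with no members, and the access rules that reference them, which is the condition described above. It assumes a simplified reading of squid.conf syntax (whitespace-separated tokens, quoted file references supplied as a dictionary); the names `audit` and `count_members` and the sample configuration are constructed for illustration.

```python
# Constructed sample squid.conf and included file (not from the advisory).
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl blocked dstdomain
acl staff proxy_auth "/etc/squid/staff.txt"
http_access deny blocked
http_access allow localnet staff
http_access deny all
"""
SAMPLE_FILES = {"/etc/squid/staff.txt": "# no users yet\n\n"}

def count_members(values, files):
    """Count ACL values, expanding quoted "file" references found in `files`."""
    total = 0
    for v in values:
        body = files.get(v.strip('"')) if v.startswith('"') else None
        if body is None:
            total += 1  # literal value, or a file we cannot see: assume populated
        else:
            lines = (ln.strip() for ln in body.splitlines())
            total += sum(1 for ln in lines if ln and not ln.startswith("#"))
    return total

def audit(conf_text, files=None):
    """Return (empty ACL names, findings) for a squid.conf given as text."""
    files = files or {}
    members, rules = {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            # The same ACL name may be declared on several lines; sum them.
            members[tok[1]] = members.get(tok[1], 0) + count_members(tok[3:], files)
        elif tok[0].endswith("_access") and len(tok) >= 2:
            rules.append((lineno, " ".join(tok[:2]), [t.lstrip("!") for t in tok[2:]]))
    empty = sorted(name for name, n in members.items() if n == 0)
    findings = []
    for lineno, rule, names in rules:
        for name in names:
            if name not in members:
                findings.append((lineno, rule, name, "undefined ACL"))
            elif members[name] == 0:
                findings.append((lineno, rule, name, "empty ACL"))
    return empty, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_FILES)[1]:
        print("line %d: '%s' references %s (%s)" % finding)
```

This complements, and does not replace, reviewing the output of "squid -k parse" on the real configuration.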

Systems Affected

Vendor    Status    Date Notified    Date Updated
Squid    Vulnerable    18-Feb-2005
Ubuntu Linux    Vulnerable    21-Feb-2005

References
http://www.squid-cache.org/bugs/show_bug.cgi?id=1166
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch
http://www.debian.org/security/2005/dsa-667
http://secunia.com/advisories/14157/
http://secunia.com/advisories/14343/

Credit

Thanks to Team Squid for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

Date Public: 2004-12-21
Date First Published: 2005-02-21
Date Last Updated: 2005-02-22
CERT Advisory:
CVE-ID(s): CAN-2005-0194
NVD-ID(s): CAN-2005-0194
US-CERT Technical Alerts:
Metric: 0.27
Document Revision: 7

Copyright 2005 Carnegie Mellon University